Mermaid diagrams would no longer render correctly, and I also had to allow custom frame sources for *.soundcloud.com in order to still load the embedded frames in the audio section:

```apache
Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'self' *.soundcloud.com"
```
Besides these, I basically just had to set a few static security headers, like not allowing access to the server over insecure transports, denying embedding of the page in other sites, and similar:
```apache
Header set Referrer-Policy "strict-origin"
Header set Strict-Transport-Security "max-age=63072000"
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "deny"
```
All in all, it took about 90 minutes to read and re-configure everything, not thaaat painful, IMO.
It would’ve also been possible to get a full 120 score in that test, but this would’ve basically required two significant changes:

`astro.config`:

```javascript
export default defineConfig({
  // ...
  build: {
    inlineStylesheets: 'never'
  },
  // ...
});
```
`<img>`-tags…but I’ve been too lazy to even try, because right now, I’m still using Astro v2.9… so, I’ll keep that in mind and check out static SVG-rendering when I start fiddling with/porting my stuff to Astro v4+ instead 🙈
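To see what a policy like the one above actually permits, here is an added Python example (my own, not from the post or from Astro) that parses a CSP value into directives, applies the `default-src` fallback, and flags the settings scanners like Observatory penalize. It uses the post's own policy and assumes that the point of `inlineStylesheets: 'never'` is to be able to drop `'unsafe-inline'` from `style-src`, so a stricter variant is constructed that way.

```python
"""Parse a Content-Security-Policy value and flag weak settings (added example)."""
from __future__ import annotations

# The policy from the post, and a constructed stricter variant without
# 'unsafe-inline' in style-src (what dropping inlined stylesheets would permit).
POLICY_CURRENT = (
    "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self' data:; "
    "style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'; "
    "frame-ancestors 'none'; frame-src 'self' *.soundcloud.com"
)
POLICY_STRICT = POLICY_CURRENT.replace("style-src 'self' 'unsafe-inline'", "style-src 'self'")

# Fetch directives that fall back to default-src when not set explicitly.
FALLS_BACK = {"script-src", "style-src", "img-src", "connect-src", "frame-src",
              "font-src", "media-src", "object-src", "worker-src", "manifest-src"}
# Directives with no fallback that a tight policy should still set explicitly.
EXPECTED = ("default-src", "base-uri", "form-action", "frame-ancestors")


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [sources]}; per spec, a repeated
    directive is ignored, so the first occurrence wins."""
    policy: dict[str, list[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Resolve the sources that apply, honouring the default-src fallback.
    Returns None when nothing applies (no directive and no fallback)."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK:
        return policy.get("default-src")  # None means 'anything goes'
    return None


def audit_csp(value: str) -> list[str]:
    """Return human-readable findings for the weak spots scanners penalize."""
    policy = parse_csp(value)
    findings = [f"missing {d}" for d in EXPECTED if d not in policy]
    for directive in ("script-src", "style-src", "object-src"):
        sources = effective_sources(policy, directive) or ["*"]
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:"):
            if weak in sources:
                findings.append(f"{directive} allows {weak}")
    return findings
```

Running `audit_csp(POLICY_CURRENT)` reports only the `'unsafe-inline'` in `style-src`, while the stricter variant comes back clean; the subdomain wildcard for SoundCloud in `frame-src` is deliberately not flagged, since it is the trade-off the post accepts.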